Current mechanisms, including application programming interfaces (APIs) and Discretionary Access Control Lists (DACLs), for implementing an authorization policy for applications and services support a model of static authorization policy, which includes both static policy data and static policy evaluation algorithms. In a simple example, static data might include assigning a user an access level number from 1 to 5, and static evaluation algorithms might include an if-then-else structure wherein access is determined relative to the access level number assigned to a user. Static policy data and policy evaluation algorithms can be considerably more complex, but at the root of such static data and evaluation algorithms is that the policy data does not vary from one policy evaluation to the next (unless the data has been administratively reconfigured), and the evaluation algorithm enforced by the authorization mechanism does not vary, regardless of policy configuration, and does not take into account nonstatic policy data (i.e., data that varies from one evaluation to the next, barring administrative policy data changes).
For example, a conventional technique based upon a static authorization model is illustrated in FIG. 1. Pursuant to a request for access to some object or property, an Access Control List (ACL) evaluation routine is initiated at 300. At 310, 315 and 320, serial determinations are made pursuant to the ACL evaluation as to whether permission may be granted for the requested object or property. In this instance, access to a document is being requested. Thus, questions (each an evaluation of asserted policy data) such as whether the requester is an authorized manager 310, whether the requestor is an administrator 315 and whether the requester is a security personnel 320 are answered. The static policy evaluation algorithm is “if the requestor matches any of the asserted identities, then grant access at 325, otherwise deny access.” To add or remove an authorization policy assertion, the underlying ACL is altered to contain an additional Access Control Entry (ACE) or to remove an ACE. Reflecting the static nature of the policy evaluation algorithm, it is not possible to change the way in which the series of policy assertions are evaluated. For example, it's not possible to assert that the requestor must match all (rather than any) of the identities in order to grant access. Nor is it possible to make a policy assertion (e.g., access granted only between the hours of 9 AM and 5 PM) that requires non-static data (e.g., the current time of day) for policy evaluation.
It is thus often desirable to grant access privileges to applications, services, and various objects based upon dynamic factors i.e., based upon factors that may change from one access evaluation to the next, even for the same requester. Within an organization, for example, people are promoted or given new privileges. For another example, the amount of an expense report may change over time. Similarly, the client context can change too if hardware and/or software on the machine is altered, which could happen, for instance, if an administrator or other machine in an associated computer system changes a characteristic of the client. Thus, the client and user data upon which access decisions are based can grow considerably more complex over time with the result being that the ability to define data and policy that can account for such potential change provides a great deal of flexibility to the developer. While custom code has been written for some applications that has provided access decision-making based upon dynamic factors and policies, custom code implies lack of transportability or cross-applicability.
Thus, it would be desirable to specify, according to standard APIs and DACLs, access data based upon dynamic factors, such as client attributes, client operation parameter values, and system environment variables for use in connection with an access policy. It would be further desirable to specify access policy according to dynamic factors, wherein unique formats and routines are provided for dynamically computing permission to use a requested object or to perform tasks.